BlackBerry without BES

RIM’s little smartphones are some of the most popular devices on the market – but BES is complex and costly. How can you get customers online without the cost of a full BlackBerry server?

If you want secure mobile email, with tight, effective device management, there’s really no alternative to RIM’s BlackBerry and it’s rightly popular with small businesses. There’s one downside: the cost of the BlackBerry Enterprise Server that routes the mail and handles the device management. For most small and medium sized businesses it’s really only mail, contacts and calendaring that matter, and BES’s advanced features are overkill. It’s a great tool, but too expensive for smaller businesses’ budgets and a significant amount of work for you – but BIS doesn’t offer enough for business.

BES Express’ Web-based administration console will be very familiar to anyone who’s worked with BES 5.0. Everything’s where you’d expect it, and the main difference is the reduced number of IT management policy options.

With the smartphone boom, more and more users are buying devices of their own, and while iPhone and Android get much of the press, RIM is quietly selling millions of BlackBerrys to consumers – who want to connect their devices to their business email and contacts. Bring Your Own Device is an increasingly popular way of reducing the costs of mobile email for SMBs, and BlackBerrys work well enough using desktop sync tools – but even better when connected to a push email server.

Those push email servers don’t have to be a full-blown BES install. There are alternatives, from RIM and from other companies, as servers, or on the device. For some time now RIM has offered an SMB version of BES, the BlackBerry Professional Server, with fewer features and a much lower price. The arrival of BES 5.0 changed things considerably. BPS had always lagged behind BES, and with its new Web front end BES 5.0 was offering self-service features that BPS couldn’t provide. BIS, the consumer-focussed BlackBerry Internet Service, offers SMBs some options, but it misses many of the control and management features of BES, and only handles email from POP, IMAP and Outlook Web Access, without BES’s near real-time push capabilities. For a while RIM offered Unite, a workgroup tool for a small number of BlackBerrys, which added calendar and contact synchronisation on top of BIS email. Intended for families and micro-businesses, it could connect up to five devices, but RIM announced last year that this would no longer be developed and BPS would be replaced.

RIM’s usual wizard-driven setup for BES Express walks you through the steps you need to get your new server online and connected to both an Exchange server and the BlackBerry network.

Introducing BES Express

BPS’s successor has finally arrived, in the shape of BES Express, and this time it’s a free download, with no need to purchase CALs for users. It even supports devices that don’t have an enterprise data plan which makes BlackBerrys much cheaper for a small business (though they will need to be activated at a desktop PC). All you need to do is fill in one form, install the software, and you’re able to support anything up to 2,000 devices on a single server. Currently only available for use with Exchange, BESX is based on BES 5.0, sharing its Web-based management tools (and still offering the same self-service tools for users). It even supports BES’s new VPN-less remote file access features. There are only a few key differences and few of these are a problem for small businesses:

Devices need to be provisioned over the air, or connected to a PC.

There’s no BlackBerry Monitoring Service, so no built-in analysis tools and no monitoring dashboards.

You can’t use the BlackBerry Enterprise Transporter to move users from one BlackBerry domain to another.

BES Express also can’t be part of the same BlackBerry domain as a BES server. BlackBerry domains are not the same as Active Directory, so you can roll out a BES with its additional features for one set of users, and a BES Express for the rest of the business, while keeping everyone in the same Active Directory.

Installing BES Express

RIM suggests that BES Express can be installed on the same server as Exchange (if you add an additional 1.5GB of RAM), when you’re connecting it to fewer than 75 devices. While it’s certainly possible, we’d recommend at the very least installing in a separate virtual machine from your Exchange system as we have seen issues on some systems. BES Express is less of a resource hog than a full BES 5 install, but it can still be quite demanding, especially when working with large attachments. If you are planning a large installation, with a lot of users, then RIM recommends putting the BES Express configuration database on a separate server. The largest installs also need the administration tools on a separate system.

Virtualisation offers an alternative approach, partitioning your BES Express from the other applications on a server. We’ve found it runs happily in a virtual machine, using either Hyper-V R2 or VMware. You’ll need to allocate at least two virtual processors to a BES Express VM, along with 2GB of RAM. There’s no need to use an Enterprise install of Windows Server; Standard works just fine, especially if BES Express is the only application you intend to run. Using a VM also helps with disaster recovery, and with backup, using VM snapshots to back up running VMs, ready for recovery.

Installing BES Express is a relatively simple process. You first need to fill out the appropriate order forms on the RIM Web site (na.blackberry.com/eng/services/business/server/express/), and then download the server from a link that will be sent to you by email. You’ll need to do this for every copy of BES Express you want to install, as the download page includes the registration codes needed to both run the server and to connect to the BlackBerry network. Keep a record of the codes and serial numbers used for support and re-installation purposes.

As with BES 5.0, you’ll need to have the appropriate firewall ports open, as well as set up system accounts for BES Express to use. BES Express uses the same TCP port 3101 as BES for communication with the BlackBerry network, so you’ll need to open this on the server and network firewalls. You’ll also need to open an incoming port in the Windows firewall on your BES Express server for the Web-based administration and self-service tools. A standard installation uses port 3443 for HTTPS connections – even if it’s the only Web server running on the machine.

You can use the Exchange Management Console to set up the accounts you need for BES Express. Under Recipient Configuration create a new User Mailbox (along with an account and password) for “besadmin”, much as you would for any other user. You’ll then need to use the Exchange Management Shell to make besadmin a ViewOnlyAdmin, with Receive-As and Send-As permissions. You’ll also need to make besadmin a local administrator on the BES Express server, with Log on locally and Log on as a service rights.
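
The firewall and account steps described above, written out as shell commands. This is an added example, not taken from the article or from RIM's documentation; it assumes Exchange 2007 cmdlets, Windows Server 2008 or later for netsh advfirewall, and that besadmin lives in the domain of the logged-in user. The firewall rule names are made up for illustration.

```powershell
# Added example (not from the article or RIM). Assumes Exchange 2007 and
# Windows Server 2008 or later; 'besadmin' is the account named in the article.
$svc = 'besadmin'

# --- In the Exchange Management Shell, as an Exchange organisation admin ---

# Read-only view of the Exchange organisation for the service account.
Add-ExchangeAdministrator -Identity $svc -Role ViewOnlyAdmin

# Send-As and Receive-As on every mailbox server BES Express will read from.
# These rights let the account open and send from any mailbox on the server,
# so protect its credentials accordingly.
Get-MailboxServer | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $svc `
        -AccessRights ExtendedRight -ExtendedRights 'Send-As', 'Receive-As'
}

# Check what was actually granted before moving on.
Get-MailboxServer | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $svc
} | Where-Object { $_.ExtendedRights } |
    Format-Table Identity, User, ExtendedRights, Deny -AutoSize

# --- On the BES Express server, in an elevated PowerShell prompt ---

# Local administrator membership for the service account
# (assumption: the account is in the current user's domain).
net localgroup Administrators "${env:USERDOMAIN}\$svc" /add

# "Log on locally" and "Log on as a service" are user rights assignments:
# set them in Local Security Policy (secpol.msc) or by Group Policy.

# Outbound connection to the BlackBerry network (rule name is hypothetical).
netsh advfirewall firewall add rule name=BESX-SRP-3101-out `
    dir=out action=allow protocol=TCP remoteport=3101

# Inbound HTTPS for the administration and self-service consoles.
# Add remoteip=<subnet> if the consoles only need to be reachable from
# known networks.
netsh advfirewall firewall add rule name=BESX-Web-3443-in `
    dir=in action=allow protocol=TCP localport=3443

# Confirm both rules exist and are enabled.
netsh advfirewall firewall show rule name=BESX-SRP-3101-out
netsh advfirewall firewall show rule name=BESX-Web-3443-in
```

Port 3101 still has to be allowed outbound on the network firewall; the commands above only cover the server's own Windows firewall.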

Again, like earlier versions of BES, BES Express requires you to download and install Microsoft’s MAPI client and CDO 1.2.1 to manage its connection to your clients’ Exchange servers. This is software worth keeping on a USB stick, as it’s required by most applications that work with Exchange, and Microsoft doesn’t license it for bundled distribution.

Installing BES Express is straightforward. Log in to your server using the besadmin account, as a local administrator. Unsurprisingly BES Express has the same installer as BES, so if you’ve installed BES before you’ll find the process very familiar. If it’s new to you, then RIM’s installer walks you through the process, from agreeing to the BES licence, to creating the configuration database (and installing SQL Server). You’ll need to fill in the login details for the besadmin account, as well as setting up its Exchange connection. The install will reboot the server once, so make sure you log in with the besadmin account to finish the install. It’s best to use Windows credentials wherever possible, especially when connecting to and configuring the BES Express databases. Once the database is set up, you’ll need to fill in the licence details, using the information from the download screen. Use the CAL Authentication Key to license the server, and the Serial number and License Key to set up the SRP connection to the BlackBerry network. Next you’ll set up the connection to your Exchange server, and the BES Express installer will launch the MAPI client configuration tool to make the connection.

The last few steps entail creating a password for the SSL certificate that BES Express uses to secure its Web user interface, and giving BES Express access to your Active Directory. You’ll need AD access, so BES Express can extract mailbox details when setting up new users. Finally you’ll need to set up an administrator account for BES Express itself. While you can use BES’s own authentication tools, we’d recommend using the AD integration to use an existing administrator account as a BES Express administrator – that way there’s less chance of losing passwords. You can now start the BES Express services, which give your clients’ users mobile email. The installer will finish by giving you the console addresses, for the administration service and for the user self-service Web Desktop Manager. Copy and paste these for later distribution and for your records.

Running BES Express

Running BES Express is much like running BES 5. Again, that shouldn’t be a surprise – after all, the two servers are pretty much the same under the hood. The biggest difference is the number of device management policies you can set, with BES Express only offering 35 or so policies. This means you won’t get the fine-grained management of a full BES install, but you will be able to control much of what your users can do and the policies are well suited to what most businesses want to manage.

Like the full BES, BES Express supports groups. You can use these to manage different sets of users together – so the same device properties can be delivered to all sales BlackBerrys, or to all devices in engineering. Groups can have child groups, which allow you to refine the policies given to different areas of an organisation. You could set up a Sales group with one set of policies, and a child group in Marketing, which would use the same base set of policies as Sales, with minor changes to suit the needs of the Marketing team.

Users are imported from Active Directory, and need to be added to BES. You can use the Web administration tool’s built-in search to find users. Once you’ve selected the users, you can quickly add them to a specific server (if you’re running more than one BES Express instance), as well as to a specific group. If your users have BlackBerrys that have previously been provisioned for BES, you can automatically generate passwords that can be used for an over-the-air activation. Users without enterprise-enabled BlackBerrys should be created without a password, and their devices activated from the PC you’re running the Web client on. Connect the device to a PC running the administration Web application (it needs to be a Windows PC, running Internet Explorer and with the BlackBerry device management ActiveX control installed). Use the Manage current device option to assign a user to the device, and to deliver BlackBerry services to a consumer phone. Select a user account and associate it with the device – and their BlackBerry will be connected to the BES Express server, ready to receive email.

The Web-based administration tool makes it easy to create and apply IT policies to devices. Start by giving a policy a name, and then editing its values. You can control whether or not the camera is available, for instance, as well as managing the security of mail, and setting device password policies. There aren’t a lot of policies available with BES Express, but those that are available are more than enough for most SMBs. Most importantly, you can lock or wipe lost devices remotely.

Once created, policies can either be assigned directly to a user, or to a group. You can also use the Web-based management tools to define and deliver software to a specific group, ensuring that they have the tools they need to do their jobs.

Creating a BlackBerry user with BES Express

It’s easy to create new users and assign them to devices using BES Express. They’ll need an email account on a connected Exchange server, and you’ll need to use the BlackBerry administration service to connect the account to their BlackBerry.

Start by searching the Active Directory for messaging-enabled users. You can get a list of all the available users, or if you know an email address you can quickly fill in their details.

Next assign the user to a BlackBerry server. BES Express’ administration tools can manage more than one BES Express server. You can also assign a user to a group to simplify deploying IT management policies to devices.

Once you’ve created a user, give them an activation password for over-the-air activation of an enterprise BlackBerry, or use the Web console’s ActiveX-based BlackBerry connector to activate a non-enterprise-enabled BlackBerry.

Sync straight to your phone

While BES Express is a low-cost alternative to BES, you still really need to deploy an additional server. If space and budget are at a premium, there are other ways to get mail onto BlackBerrys, without resorting to the consumer BIS network. One option is to use Exchange’s own over-the-air push tools. Originally designed for work with Windows Mobile devices, Exchange ActiveSync is more than a mail synchronisation tool; it also handles calendar information and contacts – as well as managing device profiles and security, and offering a remote wipe feature for lost or stolen phones.

Setting up AstraSync is much like setting up a Windows Mobile phone. You’ll need a user’s email address, the fully-qualified Internet-accessible domain name of their Exchange server, along with log-in details.

Third parties can license the protocol from Microsoft to get direct push mail access to Exchange, with no need for any intermediate push service. Microsoft’s Exchange ActiveSync protocol has been used by Windows Mobile, Android, Symbian and iPhone devices. It’s not only for devices, either, as there’s a long list of servers and services that support the protocol, including: MailSite Fusion, Exchange Online, BPOS, CommuniGate Pro, Zimbra, Scalix, FirstClass, Open-Xchange, KerioMailServer, SmarterMail, Axigen, Google Sync and Gmail. While RIM’s not going to support Exchange ActiveSync on its phones, as it competes with the BlackBerry network’s services, third-party developers have been quick to adopt it and to develop mail clients that connect directly to any server that supports the protocol. You won’t get the same unified inbox experience as you get with RIM’s own mail clients – the RIM licence only lets developers produce separate mail clients, using J2ME, though they sync directly to the BlackBerry contacts and calendar applications. AstraSync also works with Google’s Sync Server, so you can get Gmail on the BlackBerry without needing the Google Sync software.

Users will find the AstraSync mailbox very like their familiar BlackBerry inbox, with support for flags and details of read and unread messages. It’s clear and easy to use, with HTML message support that reformats messages for the smaller BlackBerry screen.

AstraSync

AstraSync is an EAS-powered mail client for BlackBerry devices. Users can install it over the air, but you’ll need to either provide users with detailed setup instructions, or set up devices yourself, as the setup process is a lot more complex than the usual BlackBerry activation. There’s also the issue that it’s not signed by RIM (RIM doesn’t sign J2ME apps), so users will need to explicitly accept the installation of an unsigned application. Once it’s installed you (or the user) need to first detect the available network connections. AstraSync will prefer to use a Wi-Fi connection for the initial setup, but works happily over both EDGE and 3G networks.

Before setting up synchronisation, users who use Desktop Manager to manage their devices will need to turn off desktop synchronisation – otherwise there’s a risk that email, calendar and contacts could be duplicated. A first sync will delete existing device content to reduce this risk, but if Desktop Manager is still synchronising the device and PC, there will be conflicts between device, PC and phone. Devices also need to have Content Protection disabled, as it stops third-party applications like AstraSync from accessing and modifying the calendar and contact data.

Windows Mobile users will find AstraSync pleasingly familiar, right down to the options for managing synchronisation. The default is to sync every ten minutes, and if users want push mail you’ll need to set this manually. If you’re not using it to synchronise calendars, AstraSync happily works alongside BES, so you can use it to give clients access to multiple email accounts on one device (something that also works well for you as a tool for receiving management email messages from client servers).

The mail inbox has the familiar BlackBerry look (and the familiar BlackBerry keyboard shortcuts). Users get full two-directional sync for read, unread and deleted messages, which BIS does not currently offer, and there is a handy view showing when mail was last delivered. It supports HTML mail and Outlook flags (useful if your clients are using BlackBerrys as an adjunct to a desktop mail client), though with fewer options than the inbox in BlackBerry OS 5. You can mirror specific folders; it’s easy to use tools like this to only carry a subset of a desktop mail client.

One thing to note is that AstraSync doesn’t handle attachments quite the same way as the normal BlackBerry mail. Users will need to download applications through a separate screen from their message, and then use the BlackBerry’s built-in viewers. Calendar settings are again very similar to Windows Mobile, with the ability to choose how far back you want devices to sync.

AstraSync’s reseller agreement includes second-line support for problems, using built-in diagnostic logging options.

NotifySync

NotifySync is a similar tool to AstraSync, with many of the same features. It also offers HTML mail, and lets you mirror folders to the phone. NotifySync also handles Tasks, so you can use it for all your clients’ PIM requirements.

There are a couple of caveats with both these applications. If you want to use the calendar features you will need to ensure that the CICAL service books have been deleted on the device before syncing the calendar. Otherwise there could be conflicts with the BlackBerry service. If a BlackBerry only has a BIS tariff, it won’t currently work with Exchange push services even with a third-party mail client; devices need to have a standard data plan in addition to a BlackBerry plan to use the direct TCP connection to the server. Devices with BIS-only connections will only be able to get mail delivered on a similar schedule to BIS’s own email service, though they still have much deeper Exchange capabilities than BlackBerry’s own consumer services. Either way, it’s still much cheaper than paying for a BES tariff.